hmrhkr
/
Mailadminscript
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Erzwingung der Passwortänderung bei erstem Login ermöglicht (forcepwreset)

This commit is contained in:
Humorhenker 2019-11-25 23:27:36 +01:00
parent 1487e8b38c
commit 1566aeaf2f
4 changed files with 87 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
public/bin/changemailpw.php
View File

@ -22,12 +22,13 @@ try {
echo 'Connection failed'; echo 'Connection failed';
} }
session_start(); session_start();
if ($_SESSION['log'] == 1) { if ($_SESSION['log'] == 1 or $_SESSION['forcepwreset']) {
if ($_POST['newmailpw'] == $_POST['newmailpwrep']) { if ($_POST['newmailpw'] == $_POST['newmailpwrep']) {
$newmailpw = $_POST['newmailpw']; $newmailpw = $_POST['newmailpw'];
$oldmailpw = $_POST['oldmailpw']; $oldmailpw = $_POST['oldmailpw'];
if (strpos($newmailpw, "'") !== false) { if (strpos($newmailpw, "'") !== false) {
header("Location: ../settings.php?wrongsymbols=1"); if ($_SESSION['forcepwreset']) header("Location: ../index.php?wrongsymbols=1");
else header("Location: settings.php?wrongsymbols=1");
exit; exit;
} }
$mailusername = $_SESSION['username']; $mailusername = $_SESSION['username'];
@ -37,6 +38,10 @@ if ($_SESSION['log'] == 1) {
$sth->execute(array(':newmailusername' => $mailusername, ':newmaildomain' => $maildomain)); $sth->execute(array(':newmailusername' => $mailusername, ':newmaildomain' => $maildomain));
$result= $sth->fetchAll(); $result= $sth->fetchAll();
$oldpwhashed = $result[0]['password']; $oldpwhashed = $result[0]['password'];
if ($_SESSION['forcepwreset'] and password_verify($newmailpw, $oldpwhashed)) {
header("Location: ../index.php?newpwequal=1");
exit;
}
if (password_verify($oldmailpw, $oldpwhashed)) { if (password_verify($oldmailpw, $oldpwhashed)) {
if (strlen($newmailpw) >= 8) { if (strlen($newmailpw) >= 8) {
$newmailpwhashed = password_hash($newmailpw, PASSWORD_ARGON2I, ['memory_cost' => 32768, 'time_cost' => 4]); $newmailpwhashed = password_hash($newmailpw, PASSWORD_ARGON2I, ['memory_cost' => 32768, 'time_cost' => 4]);
@ -51,23 +56,32 @@ if ($_SESSION['log'] == 1) {
// exec('sudo -u vmail /usr/bin/doveadm mailbox cryptokey password -o stats_writer_socket_path= -u ' . escapeshellarg($mailusername) . ' -n ' . escapeshellarg($newmailpw) . ' -o' . escapeshellcmd($oldmailpw)); // exec('sudo -u vmail /usr/bin/doveadm mailbox cryptokey password -o stats_writer_socket_path= -u ' . escapeshellarg($mailusername) . ' -n ' . escapeshellarg($newmailpw) . ' -o' . escapeshellcmd($oldmailpw));
// } // }
//} //}
if ($_SESSION['forcepwreset']) {
$_SESSION['forcepwreset'] = 0;
$_SESSION['log'] = 1;
$eintrag = "UPDATE `accounts` SET `forcepwreset` = '0', `enabled` = '1' WHERE `username` LIKE :mailusername AND `domain` LIKE :maildomain";
$sth = $dbh->prepare($eintrag);
$sth->execute(array(':mailusername' => $mailusername, ':maildomain' => $maildomain));
}
header("Location: ../settings.php?success=1"); header("Location: ../settings.php?success=1");
exit; exit;
} }
else { else {
header("Location: ../settings.php?pwtoshort=1"); if ($_SESSION['forcepwreset']) header("Location: ../index.php?pwtoshort=1");
else header("Location: ../settings.php?pwtoshort=1");
exit; exit;
} }
} }
else { else {
header( "Location: ../settings.php?pwmissmatch=1"); if ($_SESSION['forcepwreset']) header("Location: ../index.php?pwmissmatch=1");
else header( "Location: ../settings.php?pwmissmatch=1");
exit; exit;
} }
} }
else { else {
header("Location: ../settings.php?pwnotequal=1"); if ($_SESSION['forcepwreset']) header("Location: ../index.php?pwnotequal=1");
else header("Location: ../settings.php?pwnotequal=1");
exit; exit;
} }
} }
header("Location: index.php"); header("Location: ../index.php");
?>

39
public/bin/forcedpwreset.php Normal file
View File

@ -0,0 +1,39 @@
<?php
/* Mailadminscript
Copyright (C) 2019 Paul Schürholz contact AT roteserver . de
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>. */
$config = parse_ini_file('../../private/config.ini');
try {
$dbh = new PDO('mysql:host=' . $config['dbservername'] . ';dbname=' . $config['dbname'], $config['dbusername'], $config['dbpassword'], array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
} catch (PDOException $e) {
//echo 'Connection failled: '. $e->getMessage(); // Errormessage kann Sicherheitsrelevantes enthalen
echo 'Connection failed';
}
session_start();
if ($_SESSION['log']) {
header("Location: ../settings.php");
exit;
}
if ($_SESSION['forcepwreset']) {
echo '<h3>Du musst erstmal dein Passwort ändern:</h3>
<form name="changemailpw" method=POST action="changemailpw.php">
<label>Altes Passwort: <input type="password" name="oldmailpw"/></label>
<label>Neues Passwort: <input type="password" name="newmailpw"/>(min. 8 Zeichen, benutze nicht ' . "'" . ')</label>
<label>Neue Passwort wiederholen: <input type="password" name="newmailpwrep"/></label>
<input type="submit" value="Abschicken"/></form>';
echo '<br><a href="../logout.php"><button>Logout</button></a>';
}
else header("Location: ../index.php");
?>

20
public/index.php
View File

@ -19,16 +19,32 @@ $config = parse_ini_file('../private/config.ini');
if (!isset($_SESSION['log']) OR $_SESSION['log'] != 1) { if (!isset($_SESSION['log']) OR $_SESSION['log'] != 1) {
echo '<html> echo '<html>
<head> <head>
<title>Login</title>
</head> </head>
<body>'; <body>';
if (isset($_GET['badlogin'])) { if (isset($_GET['badlogin'])) {
echo '<p>falsche Logindaten</p>'; echo '<p>falsche Logindaten</p>';
} }
if (isset($_GET['pwnotequal'])) {
echo '<h3>Passwörter nicht gleich!</h3><a href="bin/forcedpwreset.php">Nochmal</a>';
}
if (isset($_GET['pwtoshort'])) {
echo '<h3>eingegebe Passwörter sind zu kurz!</h3><a href="bin/forcedpwreset.php">Nochmal</a>';
}
if (isset($_GET['pwmissmatch'])) {
echo '<h3>Das eingegebene aktulle Passwort stimmt nicht!</h3><a href="bin/forcedpwreset.php">Nochmal</a>';
}
if (isset($_GET['wrongsymbols'])) {
echo '<h3>eingegebe Passwörter enthalten unerlaubte Symbole!</h3><a href="bin/forcedpwreset.php">Nochmal</a>';
}
if (isset($_GET['newpwequal'])) {
echo '<h3>Das neue Passwort entspricht dem alten!</h3><a href="bin/forcedpwreset.php">Nochmal</a>';
}
echo '<a href="webmail"><h2>Webmail</h2></a> echo '<a href="webmail"><h2>Webmail</h2></a>
<h2>Config-Login:</h2> <h2>Config-Login:</h2>
<form method="POST" action="login.php"> <form method="POST" action="login.php">
<label>Nutzername<input name="username" type="text"/></label> <label>Nutzername:<input name="username" type="text"/></label>
<label>Passwort<input name="password" type="password"/></label> <label>Passwort:<input name="password" type="password"/></label>
<input name="Submit" type="submit" value="Einloggen"/> <input name="Submit" type="submit" value="Einloggen"/>
</form>'; </form>';
if ($config['allowregistration']) { if ($config['allowregistration']) {

11
public/login.php
View File

@ -25,17 +25,24 @@ try {
$user = explode('@', $_POST['username']); $user = explode('@', $_POST['username']);
$pw = $_POST['password']; $pw = $_POST['password'];
$abfrage = "SELECT `id`, `password`, `admin` FROM `accounts` WHERE `username` = :username AND `domain` = :domain AND `enabled`='1'"; $abfrage = "SELECT `id`, `password`, `forcepwreset`, `admin` FROM `accounts` WHERE `username` = :username AND `domain` = :domain AND `enabled`='1' OR (`enabled`='0' AND `forcepwreset`='1')";
$sth = $dbh->prepare($abfrage); $sth = $dbh->prepare($abfrage);
$sth->execute(array(':username' => $user[0], ':domain' => $user[1])); $sth->execute(array(':username' => $user[0], ':domain' => $user[1]));
$userdata = $sth->fetchAll(); $userdata = $sth->fetchAll();
if ($sth->rowCount() > 0) { if ($sth->rowCount() > 0) {
if (password_verify($pw, $userdata[0]['password'])) { if (password_verify($pw, $userdata[0]['password'])) {
$_SESSION['log'] = 1;
$_SESSION['username'] = $user[0]; $_SESSION['username'] = $user[0];
$_SESSION['domain'] = $user[1]; $_SESSION['domain'] = $user[1];
$_SESSION['admin'] = $userdata[0]['admin']; $_SESSION['admin'] = $userdata[0]['admin'];
$_SESSION['mailID'] = $userdata[0]['id']; $_SESSION['mailID'] = $userdata[0]['id'];
if ($userdata[0]['forcepwreset']) {
$_SESSION['forcepwreset'] = 1;
$_SESSION['log'] = 0;
header("Location: bin/forcedpwreset.php");
exit;
}
$_SESSION['forcepwreset'] = 0;
$_SESSION['log'] = 1;
header("Location: settings.php"); header("Location: settings.php");
exit; exit;
} }